I'm wondering if ServletResponse.reset() is the extra step I need to block non-logged-in users from accessing servlets, or if there are risks or downsides to it.

Background:

The way my website works, initially users can only see certain pages after they create an account and login with those credentials. The problem I was initially having was, even though I used session.invalidate(), when a user logged-out, they could re-send the request (for example, via the back button) and were able to access restricted contents from the unauthorized state. Assuming the session is expired, as per above, I'm not sure how that's even possible or what can properly be done to prevent it.

Through experimentation, as a workaround, I tried ServletResponse.reset(), and that seemed to resolve it, but I don't understand why it works, and hence, I'm not confident it is a robust viable solution.

My specific questions are:

  • Is resetting the response buffer (including header and http status code) a safe or recommended practice, or is there a better way to do it?

  • How can I manage logging in with the session object as opposed to using a session cookie?


I don't think ServletResponse.reset() will hurt anything but it isn't standard operating procedure and it shouldn't be necessary. Just make sure you're doing the right things both invalidating and validating sessions.

Invalidating session:

  • Call session.invalidate() to remove session attributes bound to a session, but also be sure your code explicitly removes its own stale references to the previous session state. Session cookies can be explicitly removed by locating the cookie with exact matching criteria and setting its maximum age to 0.

Validating session:

  • When authenticating, you can check whether getSession(false) returns null to determine if there is an active session. If so, you can invalidate it then, and you can also check request.isRequestedSessionIdValid(), or explicitly check for the presence of any specific attributes you've used in your session management scheme. That will let you verify the state of the session properly.

From the JavaDocs:

ServletResponse

    void reset()

        Clears any data that exists in the buffer as well as the status code and headers. If the response has been committed, this method throws an IllegalStateException.

    void invalidate()

        Invalidates this session then unbinds any objects bound to it.

ServletRequest

    boolean isRequestedSessionIdValid()

        Checks whether the requested session ID is still valid.

    HttpSession getSession(boolean create)

        Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session. If create is false and the request has no valid HttpSession, this method returns null.
        To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.
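The two halves of the answer (invalidating on logout, validating on every restricted request) as Servlet API code. This is an added illustration, not code from the original answer; the "user" session attribute, the /login path and the JSESSIONID cookie name are assumptions, and each class belongs in its own source file.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Logout: invalidate the server-side session and expire the client's session cookie.
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);   // false: never create a session just to kill it
        if (session != null) {
            session.removeAttribute("user");            // drop the app's own reference first (assumed attribute)
            session.invalidate();                       // unbinds everything else
        }
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("JSESSIONID".equals(c.getName())) { // exact match on the cookie name
                    Cookie expired = new Cookie(c.getName(), "");
                    // path must match the original cookie or the browser keeps the old one
                    expired.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
                    expired.setMaxAge(0);               // max age 0 tells the browser to delete it
                    expired.setHttpOnly(true);
                    resp.addCookie(expired);
                }
            }
        }
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}

// Filter in front of restricted pages: re-validates the session on every request
// instead of trusting whatever the browser re-sends via the back button.
public class AuthFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);   // null once invalidate() has run
        boolean loggedIn = req.isRequestedSessionIdValid()     // stale cookie id -> false
                && session != null
                && session.getAttribute("user") != null;       // attribute set at login (assumed)
        if (!loggedIn) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Map AuthFilter to the restricted URL patterns in web.xml or with @WebFilter; with these checks in place, a replayed request after logout fails the filter and no response reset is needed.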